Acknowledging the increasing sophistication, threat, and speed of those who would disrupt the interconnectedness of large U.S. financial institutions, federal banking regulators took a first step in crafting a rule that would add enhanced cybersecurity risk oversight and preparations.
Worries spur federal action
At an FDIC board meeting to consider issuing an advance notice of proposed rulemaking on this issue, Comptroller of the Currency Thomas Curry said:
“In the face of these [cyber] threats, we must ensure that U.S. financial entities that provide critical services to the financial sector remain vigilant and resilient because a cyber incident that affects the safety and soundness of one entity may harm the safety and soundness of others, and could end up having systemic consequences.”
In a press briefing before the meeting, an agency official said: “By targeting the firms and systems at which a cyber event would likely impact other firms in the broader financial sector, we’re hoping to increase not just the resiliency of the firm but the entire U.S. financial sector.”
Proposal affects biggest banks
While open to comment on all aspects of this advance proposal, the agencies expect it to apply to three categories:
• Depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more.
• U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more.
• Financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve.
Agency officials also said that the proposal would apply to third parties that provide critical, core services to covered financial entities.
As proposed, the rule specifically would not apply to community banks, said FDIC Chairman Martin Gruenberg. However, the enhanced rules would operate within existing information technology/cyber response requirements and examination guidelines.
Said an agency official: “This isn’t new. It shouldn’t come as a surprise to the industry. It’s more of a difference in focus, to increase the focus of senior management and directors, and to establish appropriate cyber risk management.”
The enhanced rules would be more prescriptive than existing requirements for smaller financial institutions, agency officials explained.
5 categories of cyber risk standards
As described by an FDIC official during the hearing, the contemplated rule would have five categories of standards:
• Cyber risk governance—This would require a written cyber risk strategy approved by the board of directors. It would require cyber risk tolerances and risk appetite, also approved by the board of directors. It would establish a senior leader for cyber risk oversight independent of the business line management and with direct access to the entity’s board.
• Cyber risk management—This would integrate three lines of defense: Business units, an independent risk management group, and the audit function.
• Internal dependency management—This would assess the effectiveness of reducing cyber risk within internal dependencies and enterprise-wide. Also, it would maintain a current and complete awareness of all internal assets and business functions that support cyber risk management strategy.
• External dependency management—This would integrate an external dependency management strategy into the overall strategic risk management plan to address cyber risk. It would identify and manage real-time cyber risk in external dependencies.
• Incident response/cyber resilience and situational awareness—It would establish and maintain incident response plans, governance strategies, and the capacity to rapidly recover from a disruptive cyber event. It would establish protocols for secure offline storage of critical records, such as loan data, asset management account information, and daily deposit records, including balances and ownership details, in a data format to allow restoration by another institution or FDIC.
One of the few specifics in the advance proposal is a requirement that sector-critical systems be recovered within two hours following a disruptive, corruptive, or destructive cyber event.
Such a recovery capability would need to be validated by testing. Also, it would be enabled by implementing “the most effective and commercially available controls,” the official said.
Curry emphasized the need for top-down awareness of cyber risk among the largest financial sector entities:
“The proposed standards require a covered entity to ensure that cyber risk management is sufficiently ingrained within its governance and management structures to remain effective during and after a cyber event,” he said.
Exam Council updates cyber risk FAQ
While use of the tool is voluntary, banking agencies have encouraged its use, or that of something similar, so that financial institutions of all sizes can gauge their vulnerability to cyber threats.
[During the meeting regarding the proposed enhanced requirements for the largest institutions, Curry said the proposal “complements the cyber security assessment tool and other cybersecurity initiatives of the federal banking agencies and the FFIEC.”]
The FAQ guide answers questions and clarifies points in the Assessment and supporting materials based on questions received by the FFIEC members over the course of the last year.
For example, one question asks simply: “What is the value of the Assessment to management?”
Answer: “By using the Assessment, management will be able to enhance its oversight and management of the institution’s cybersecurity by doing the following:
• Identifying factors contributing to and determining the institution’s overall cyber risk.
• Assessing the institution’s cybersecurity preparedness.
• Evaluating whether the institution’s cybersecurity preparedness is aligned with its inherent risks.
• Determining risk management practices and controls that are needed or require enhancement and actions to be taken to achieve the desired state.
• Informing risk management strategies.